Upgrade Jetstack Cert-Manager v1.0.4 (#6937)

roles/download/defaults/main.yml

@@ -507,7 +507,7 @@ ingress_ambassador_image_repo: "{{ quay_image_repo }}/datawire/ambassador-operat
 ingress_ambassador_image_tag: "v1.2.9"
 alb_ingress_image_repo: "{{ docker_image_repo }}/amazon/aws-alb-ingress-controller"
 alb_ingress_image_tag: "v1.1.9"
-cert_manager_version: "v0.16.1"
+cert_manager_version: "v1.0.4"
 cert_manager_controller_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-controller"
 cert_manager_controller_image_tag: "{{ cert_manager_version }}"
 cert_manager_cainjector_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-cainjector"

roles/kubernetes-apps/ingress_controller/cert_manager/templates/clusterrole-cert-manager.yml.j2

@@ -16,278 +16,483 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: cert-manager-cainjector
   labels:
     app: cainjector
-    app.kubernetes.io/name: cainjector
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: cainjector
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cainjector
+  name: cert-manager-cainjector
 rules:
-  - apiGroups: ["cert-manager.io"]
+- apiGroups:
-    resources: ["certificates"]
+  - cert-manager.io
-    verbs: ["get", "list", "watch"]
+  resources:
-  - apiGroups: [""]
+  - certificates
-    resources: ["secrets"]
+  verbs:
-    verbs: ["get", "list", "watch"]
+  - get
-  - apiGroups: [""]
+  - list
-    resources: ["events"]
+  - watch
-    verbs: ["get", "create", "update", "patch"]
+- apiGroups:
-  - apiGroups: ["admissionregistration.k8s.io"]
+  - ""
-    resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
+  resources:
-    verbs: ["get", "list", "watch", "update"]
+  - secrets
-  - apiGroups: ["apiregistration.k8s.io"]
+  verbs:
-    resources: ["apiservices"]
+  - get
-    verbs: ["get", "list", "watch", "update"]
+  - list
-  - apiGroups: ["apiextensions.k8s.io"]
+  - watch
-    resources: ["customresourcedefinitions"]
+- apiGroups:
-    verbs: ["get", "list", "watch", "update"]
+  - ""
-  - apiGroups: ["auditregistration.k8s.io"]
+  resources:
-    resources: ["auditsinks"]
+  - events
-    verbs: ["get", "list", "watch", "update"]
+  verbs:
+  - get
+  - create
+  - update
+  - patch
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  - mutatingwebhookconfigurations
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+- apiGroups:
+  - apiregistration.k8s.io
+  resources:
+  - apiservices
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+- apiGroups:
+  - auditregistration.k8s.io
+  resources:
+  - auditsinks
+  verbs:
+  - get
+  - list
+  - watch
+  - update
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
   name: cert-manager-controller-issuers
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 rules:
-  - apiGroups: ["cert-manager.io"]
+- apiGroups:
-    resources: ["issuers", "issuers/status"]
+  - cert-manager.io
-    verbs: ["update"]
+  resources:
-  - apiGroups: ["cert-manager.io"]
+  - issuers
-    resources: ["issuers"]
+  - issuers/status
-    verbs: ["get", "list", "watch"]
+  verbs:
-  - apiGroups: [""]
+  - update
-    resources: ["secrets"]
+- apiGroups:
-    verbs: ["get", "list", "watch", "create", "update", "delete"]
+  - cert-manager.io
-  - apiGroups: [""]
+  resources:
-    resources: ["events"]
+  - issuers
-    verbs: ["create", "patch"]
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
   name: cert-manager-controller-clusterissuers
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 rules:
-  - apiGroups: ["cert-manager.io"]
+- apiGroups:
-    resources: ["clusterissuers", "clusterissuers/status"]
+  - cert-manager.io
-    verbs: ["update"]
+  resources:
-  - apiGroups: ["cert-manager.io"]
+  - clusterissuers
-    resources: ["clusterissuers"]
+  - clusterissuers/status
-    verbs: ["get", "list", "watch"]
+  verbs:
-  - apiGroups: [""]
+  - update
-    resources: ["secrets"]
+- apiGroups:
-    verbs: ["get", "list", "watch", "create", "update", "delete"]
+  - cert-manager.io
-  - apiGroups: [""]
+  resources:
-    resources: ["events"]
+  - clusterissuers
-    verbs: ["create", "patch"]
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
   name: cert-manager-controller-certificates
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 rules:
-  - apiGroups: ["cert-manager.io"]
+- apiGroups:
-    resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
+  - cert-manager.io
-    verbs: ["update"]
+  resources:
-  - apiGroups: ["cert-manager.io"]
+  - certificates
-    resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
+  - certificates/status
-    verbs: ["get", "list", "watch"]
+  - certificaterequests
-  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
+  - certificaterequests/status
-  # admission controller enabled:
+  verbs:
-  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
+  - update
-  - apiGroups: ["cert-manager.io"]
+- apiGroups:
-    resources: ["certificates/finalizers", "certificaterequests/finalizers"]
+  - cert-manager.io
-    verbs: ["update"]
+  resources:
-  - apiGroups: ["acme.cert-manager.io"]
+  - certificates
-    resources: ["orders"]
+  - certificaterequests
-    verbs: ["create", "delete", "get", "list", "watch"]
+  - clusterissuers
-  - apiGroups: [""]
+  - issuers
-    resources: ["secrets"]
+  verbs:
-    verbs: ["get", "list", "watch", "create", "update", "delete"]
+  - get
-  - apiGroups: [""]
+  - list
-    resources: ["events"]
+  - watch
-    verbs: ["create", "patch"]
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - certificates/finalizers
+  - certificaterequests/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - acme.cert-manager.io
+  resources:
+  - orders
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
   name: cert-manager-controller-orders
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 rules:
-  - apiGroups: ["acme.cert-manager.io"]
+- apiGroups:
-    resources: ["orders", "orders/status"]
+  - acme.cert-manager.io
-    verbs: ["update"]
+  resources:
-  - apiGroups: ["acme.cert-manager.io"]
+  - orders
-    resources: ["orders", "challenges"]
+  - orders/status
-    verbs: ["get", "list", "watch"]
+  verbs:
-  - apiGroups: ["cert-manager.io"]
+  - update
-    resources: ["clusterissuers", "issuers"]
+- apiGroups:
-    verbs: ["get", "list", "watch"]
+  - acme.cert-manager.io
-  - apiGroups: ["acme.cert-manager.io"]
+  resources:
-    resources: ["challenges"]
+  - orders
-    verbs: ["create", "delete"]
+  - challenges
-  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
+  verbs:
-  # admission controller enabled:
+  - get
-  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
+  - list
-  - apiGroups: ["acme.cert-manager.io"]
+  - watch
-    resources: ["orders/finalizers"]
+- apiGroups:
-    verbs: ["update"]
+  - cert-manager.io
-  - apiGroups: [""]
+  resources:
-    resources: ["secrets"]
+  - clusterissuers
-    verbs: ["get", "list", "watch"]
+  - issuers
-  - apiGroups: [""]
+  verbs:
-    resources: ["events"]
+  - get
-    verbs: ["create", "patch"]
+  - list
+  - watch
+- apiGroups:
+  - acme.cert-manager.io
+  resources:
+  - challenges
+  verbs:
+  - create
+  - delete
+- apiGroups:
+  - acme.cert-manager.io
+  resources:
+  - orders/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
   name: cert-manager-controller-challenges
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 rules:
-  # Use to update challenge resource status
+- apiGroups:
-  - apiGroups: ["acme.cert-manager.io"]
+  - acme.cert-manager.io
-    resources: ["challenges", "challenges/status"]
+  resources:
-    verbs: ["update"]
+  - challenges
-  # Used to watch challenge resources
+  - challenges/status
-  - apiGroups: ["acme.cert-manager.io"]
+  verbs:
-    resources: ["challenges"]
+  - update
-    verbs: ["get", "list", "watch"]
+- apiGroups:
-  # Used to watch challenges, issuer and clusterissuer resources
+  - acme.cert-manager.io
-  - apiGroups: ["cert-manager.io"]
+  resources:
-    resources: ["issuers", "clusterissuers"]
+  - challenges
-    verbs: ["get", "list", "watch"]
+  verbs:
-  # Need to be able to retrieve ACME account private key to complete challenges
+  - get
-  - apiGroups: [""]
+  - list
-    resources: ["secrets"]
+  - watch
-    verbs: ["get", "list", "watch"]
+- apiGroups:
-  # Used to create events
+  - cert-manager.io
-  - apiGroups: [""]
+  resources:
-    resources: ["events"]
+  - issuers
-    verbs: ["create", "patch"]
+  - clusterissuers
-  # HTTP01 rules
+  verbs:
-  - apiGroups: [""]
+  - get
-    resources: ["pods", "services"]
+  - list
-    verbs: ["get", "list", "watch", "create", "delete"]
+  - watch
-  - apiGroups: ["extensions"]
+- apiGroups:
-    resources: ["ingresses"]
+  - ""
-    verbs: ["get", "list", "watch", "create", "delete", "update"]
+  resources:
-  # We require the ability to specify a custom hostname when we are creating
+  - secrets
-  # new ingress resources.
+  verbs:
-  # See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148
+  - get
-  - apiGroups: ["route.openshift.io"]
+  - list
-    resources: ["routes/custom-host"]
+  - watch
-    verbs: ["create"]
+- apiGroups:
-  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
+  - ""
-  # admission controller enabled:
+  resources:
-  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
+  - events
-  - apiGroups: ["acme.cert-manager.io"]
+  verbs:
-    resources: ["challenges/finalizers"]
+  - create
-    verbs: ["update"]
+  - patch
-  # DNS01 rules (duplicated above)
+- apiGroups:
-  - apiGroups: [""]
+  - ""
-    resources: ["secrets"]
+  resources:
-    verbs: ["get", "list", "watch"]
+  - pods
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - delete
+- apiGroups:
+  - extensions
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - delete
+  - update
+- apiGroups:
+  - route.openshift.io
+  resources:
+  - routes/custom-host
+  verbs:
+  - create
+- apiGroups:
+  - acme.cert-manager.io
+  resources:
+  - challenges/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  labels:
+    app: cert-manager
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
   name: cert-manager-controller-ingress-shim
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: controller
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 rules:
-  - apiGroups: ["cert-manager.io"]
+- apiGroups:
-    resources: ["certificates", "certificaterequests"]
+  - cert-manager.io
-    verbs: ["create", "update", "delete"]
+  resources:
-  - apiGroups: ["cert-manager.io"]
+  - certificates
-    resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
+  - certificaterequests
-    verbs: ["get", "list", "watch"]
+  verbs:
-  - apiGroups: ["extensions"]
+  - create
-    resources: ["ingresses"]
+  - update
-    verbs: ["get", "list", "watch"]
+  - delete
-  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
+- apiGroups:
-  # admission controller enabled:
+  - cert-manager.io
-  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
+  resources:
-  - apiGroups: ["extensions"]
+  - certificates
-    resources: ["ingresses/finalizers"]
+  - certificaterequests
-    verbs: ["update"]
+  - issuers
-  - apiGroups: [""]
+  - clusterissuers
-    resources: ["events"]
+  verbs:
-    verbs: ["create", "patch"]
+  - get
+  - list
+  - watch
+- apiGroups:
+  - extensions
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - extensions
+  resources:
+  - ingresses/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: cert-manager-view
   labels:
     app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
     rbac.authorization.k8s.io/aggregate-to-view: "true"
-    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+  name: cert-manager-view
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
 rules:
-  - apiGroups: ["cert-manager.io"]
+- apiGroups:
-    resources: ["certificates", "certificaterequests", "issuers"]
+  - cert-manager.io
-    verbs: ["get", "list", "watch"]
+  resources:
+  - certificates
+  - certificaterequests
+  - issuers
+  verbs:
+  - get
+  - list
+  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: cert-manager-edit
   labels:
     app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    app.kubernetes.io/instance: cert-manager
-    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    app.kubernetes.io/name: cert-manager
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+  name: cert-manager-edit
 rules:
-  - apiGroups: ["cert-manager.io"]
+- apiGroups:
-    resources: ["certificates", "certificaterequests", "issuers"]
+  - cert-manager.io
-    verbs: ["create", "delete", "deletecollection", "patch", "update"]
+  resources:
+  - certificates
+  - certificaterequests
+  - issuers
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - patch
+  - update

roles/kubernetes-apps/ingress_controller/cert_manager/templates/clusterrolebinding-cert-manager.yml.j2

@@ -16,139 +16,125 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: cert-manager-cainjector
   labels:
     app: cainjector
-    app.kubernetes.io/name: cainjector
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: cainjector
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cainjector
+  name: cert-manager-cainjector
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: cert-manager-cainjector
 subjects:
-  - name: cert-manager-cainjector
+- kind: ServiceAccount
+  name: cert-manager-cainjector
   namespace: {{ cert_manager_namespace }}
-    kind: ServiceAccount
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: cert-manager-controller-issuers
   labels:
     app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+  name: cert-manager-controller-issuers
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: cert-manager-controller-issuers
 subjects:
-  - name: cert-manager
+- kind: ServiceAccount
+  name: cert-manager
   namespace: {{ cert_manager_namespace }}
-    kind: ServiceAccount
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: cert-manager-controller-clusterissuers
   labels:
     app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+  name: cert-manager-controller-clusterissuers
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: cert-manager-controller-clusterissuers
 subjects:
-  - name: cert-manager
+- kind: ServiceAccount
+  name: cert-manager
   namespace: {{ cert_manager_namespace }}
-    kind: ServiceAccount
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: cert-manager-controller-certificates
   labels:
     app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+  name: cert-manager-controller-certificates
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: cert-manager-controller-certificates
 subjects:
-  - name: cert-manager
+- kind: ServiceAccount
+  name: cert-manager
   namespace: {{ cert_manager_namespace }}
-    kind: ServiceAccount
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: cert-manager-controller-orders
   labels:
     app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+  name: cert-manager-controller-orders
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: cert-manager-controller-orders
 subjects:
-  - name: cert-manager
+- kind: ServiceAccount
+  name: cert-manager
   namespace: {{ cert_manager_namespace }}
-    kind: ServiceAccount
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: cert-manager-controller-challenges
   labels:
     app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+  name: cert-manager-controller-challenges
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: cert-manager-controller-challenges
 subjects:
-  - name: cert-manager
+- kind: ServiceAccount
+  name: cert-manager
   namespace: {{ cert_manager_namespace }}
-    kind: ServiceAccount
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: cert-manager-controller-ingress-shim
   labels:
     app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+  name: cert-manager-controller-ingress-shim
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: cert-manager-controller-ingress-shim
 subjects:
-  - name: cert-manager
+- kind: ServiceAccount
+  name: cert-manager
   namespace: {{ cert_manager_namespace }}
-    kind: ServiceAccount

roles/kubernetes-apps/ingress_controller/cert_manager/templates/deploy-cert-manager.yml.j2

@@ -16,38 +16,30 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: cert-manager-cainjector
-  namespace: {{ cert_manager_namespace }}
   labels:
     app: cainjector
-    app.kubernetes.io/name: cainjector
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: cainjector
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cainjector
+  name: cert-manager-cainjector
+  namespace: {{ cert_manager_namespace }}
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app.kubernetes.io/name: cainjector
-      app.kubernetes.io/instance: cert-manager
       app.kubernetes.io/component: cainjector
+      app.kubernetes.io/instance: cert-manager
+      app.kubernetes.io/name: cainjector
   template:
     metadata:
       labels:
         app: cainjector
-        app.kubernetes.io/name: cainjector
-        app.kubernetes.io/instance: cert-manager
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: cainjector
-        helm.sh/chart: cert-manager-{{ cert_manager_version }}
+        app.kubernetes.io/instance: cert-manager
+        app.kubernetes.io/name: cainjector
     spec:
-      serviceAccountName: cert-manager-cainjector
       containers:
-        - name: cert-manager
+      - args:
-          image: "{{ cert_manager_cainjector_image_repo }}:{{ cert_manager_cainjector_image_tag }}"
-          imagePullPolicy: {{ k8s_image_pull_policy }}
-          args:
         - --v=2
         - --leader-election-namespace=kube-system
         env:
@@ -55,123 +47,122 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-          resources:
+        image: "{{ cert_manager_cainjector_image_repo }}:{{ cert_manager_cainjector_image_tag }}"
-            {}
+        imagePullPolicy: {{ k8s_image_pull_policy }}
+        name: cert-manager
+        resources: {}
+      serviceAccountName: cert-manager-cainjector
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: cert-manager
-  namespace: {{ cert_manager_namespace }}
   labels:
     app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+  name: cert-manager
+  namespace: {{ cert_manager_namespace }}
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app.kubernetes.io/name: cert-manager
-      app.kubernetes.io/instance: cert-manager
       app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: cert-manager
+      app.kubernetes.io/name: cert-manager
   template:
     metadata:
+      annotations:
+        prometheus.io/path: /metrics
+        prometheus.io/port: "9402"
+        prometheus.io/scrape: "true"
       labels:
         app: cert-manager
-        app.kubernetes.io/name: cert-manager
-        app.kubernetes.io/instance: cert-manager
         app.kubernetes.io/component: controller
-        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/instance: cert-manager
-        helm.sh/chart: cert-manager-{{ cert_manager_version }}
+        app.kubernetes.io/name: cert-manager
-      annotations:
-        prometheus.io/path: "/metrics"
-        prometheus.io/scrape: 'true'
-        prometheus.io/port: '9402'
     spec:
-      serviceAccountName: cert-manager
       containers:
-        - name: cert-manager
+      - args:
-          image: "{{ cert_manager_controller_image_repo }}:{{ cert_manager_controller_image_tag }}"
-          imagePullPolicy: {{ k8s_image_pull_policy }}
-          args:
         - --v=2
         - --cluster-resource-namespace=$(POD_NAMESPACE)
         - --leader-election-namespace=kube-system
-          ports:
-          - containerPort: 9402
-            protocol: TCP
         env:
         - name: POD_NAMESPACE
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-          resources:
+        image: "{{ cert_manager_controller_image_repo }}:{{ cert_manager_controller_image_tag }}"
-            {}
+        imagePullPolicy: {{ k8s_image_pull_policy }}
+        name: cert-manager
+        ports:
+        - containerPort: 9402
+          protocol: TCP
+        resources: {}
+      serviceAccountName: cert-manager
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: cert-manager-webhook
-  namespace: {{ cert_manager_namespace }}
   labels:
     app: webhook
-    app.kubernetes.io/name: webhook
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: webhook
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: webhook
+  name: cert-manager-webhook
+  namespace: {{ cert_manager_namespace }}
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app.kubernetes.io/name: webhook
-      app.kubernetes.io/instance: cert-manager
       app.kubernetes.io/component: webhook
+      app.kubernetes.io/instance: cert-manager
+      app.kubernetes.io/name: webhook
   template:
     metadata:
       labels:
         app: webhook
-        app.kubernetes.io/name: webhook
-        app.kubernetes.io/instance: cert-manager
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: webhook
-        helm.sh/chart: cert-manager-{{ cert_manager_version }}
+        app.kubernetes.io/instance: cert-manager
+        app.kubernetes.io/name: webhook
     spec:
-      serviceAccountName: cert-manager-webhook
       containers:
-        - name: cert-manager
+      - args:
-          image: "{{ cert_manager_webhook_image_repo }}:{{ cert_manager_webhook_image_tag }}"
-          imagePullPolicy: {{ k8s_image_pull_policy }}
-          args:
         - --v=2
         - --secure-port=10250
         - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
         - --dynamic-serving-ca-secret-name=cert-manager-webhook-ca
-          - --dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.cert-manager,cert-manager-webhook.cert-manager.svc
+        - --dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.{{ cert_manager_namespace }},cert-manager-webhook.{{ cert_manager_namespace }}.svc
-          ports:
+        env:
-          - name: https
+        - name: POD_NAMESPACE
-            containerPort: 10250
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: "{{ cert_manager_webhook_image_repo }}:{{ cert_manager_webhook_image_tag }}"
+        imagePullPolicy: {{ k8s_image_pull_policy }}
         livenessProbe:
+          failureThreshold: 3
           httpGet:
             path: /livez
             port: 6080
             scheme: HTTP
           initialDelaySeconds: 60
           periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: cert-manager
+        ports:
+        - containerPort: 10250
+          name: https
         readinessProbe:
+          failureThreshold: 3
           httpGet:
             path: /healthz
             port: 6080
             scheme: HTTP
           initialDelaySeconds: 5
           periodSeconds: 5
-          env:
+          successThreshold: 1
-          - name: POD_NAMESPACE
+          timeoutSeconds: 1
-            valueFrom:
+        resources: {}
-              fieldRef:
+      serviceAccountName: cert-manager-webhook
-                fieldPath: metadata.namespace
-          resources:
-            {}

roles/kubernetes-apps/ingress_controller/cert_manager/templates/role-cert-manager.yml.j2

@@ -16,70 +16,85 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: cert-manager-cainjector:leaderelection
-  namespace: kube-system
   labels:
     app: cainjector
-    app.kubernetes.io/name: cainjector
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: cainjector
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cainjector
+  name: cert-manager-cainjector:leaderelection
+  namespace: kube-system
 rules:
-  # Used for leader election by the controller
+- apiGroups:
-  # cert-manager-cainjector-leader-election is used by the CertificateBased injector controller
+  - ""
-  #   see cmd/cainjector/start.go#L113
+  resourceNames:
-  # cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller
+  - cert-manager-cainjector-leader-election
-  #   see cmd/cainjector/start.go#L137
+  - cert-manager-cainjector-leader-election-core
-  - apiGroups: [""]
+  resources:
-    resources: ["configmaps"]
+  - configmaps
-    resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
+  verbs:
-    verbs: ["get", "update", "patch"]
+  - get
-  - apiGroups: [""]
+  - update
-    resources: ["configmaps"]
+  - patch
-    verbs: ["create"]
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: cert-manager:leaderelection
-  namespace: kube-system
   labels:
     app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+  name: cert-manager:leaderelection
+  namespace: kube-system
 rules:
-  # Used for leader election by the controller
+- apiGroups:
-  - apiGroups: [""]
+  - ""
-    resources: ["configmaps"]
+  resourceNames:
-    resourceNames: ["cert-manager-controller"]
+  - cert-manager-controller
-    verbs: ["get", "update", "patch"]
+  resources:
-  - apiGroups: [""]
+  - configmaps
-    resources: ["configmaps"]
+  verbs:
-    verbs: ["create"]
+  - get
+  - update
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: cert-manager-webhook:dynamic-serving
-  namespace: {{ cert_manager_namespace }}
   labels:
     app: webhook
-    app.kubernetes.io/name: webhook
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: webhook
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: webhook
+  name: cert-manager-webhook:dynamic-serving
+  namespace: {{ cert_manager_namespace }}
 rules:
-- apiGroups: [""]
+- apiGroups:
-  resources: ["secrets"]
+  - ""
   resourceNames:
-  - 'cert-manager-webhook-ca'
+  - cert-manager-webhook-ca
-  verbs: ["get", "list", "watch", "update"]
+  resources:
-# It's not possible to grant CREATE permission on a single resourceName.
+  - secrets
-- apiGroups: [""]
+  verbs:
-  resources: ["secrets"]
+  - get
-  verbs: ["create"]
+  - list
+  - watch
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create

roles/kubernetes-apps/ingress_controller/cert_manager/templates/rolebinding-cert-manager.yml.j2

@@ -16,15 +16,13 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: cert-manager-cainjector:leaderelection
-  namespace: kube-system
   labels:
     app: cainjector
-    app.kubernetes.io/name: cainjector
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: cainjector
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cainjector
+  name: cert-manager-cainjector:leaderelection
+  namespace: kube-system
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -37,15 +35,13 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: cert-manager:leaderelection
-  namespace: kube-system
   labels:
     app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+  name: cert-manager:leaderelection
+  namespace: kube-system
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -59,15 +55,13 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: cert-manager-webhook:dynamic-serving
-  namespace: {{ cert_manager_namespace }}
   labels:
     app: webhook
-    app.kubernetes.io/name: webhook
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: webhook
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: webhook
+  name: cert-manager-webhook:dynamic-serving
+  namespace: {{ cert_manager_namespace }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role

roles/kubernetes-apps/ingress_controller/cert_manager/templates/sa-cert-manager.yml.j2

@@ -16,38 +16,32 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: cert-manager-cainjector
-  namespace: {{ cert_manager_namespace }}
   labels:
     app: cainjector
-    app.kubernetes.io/name: cainjector
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: cainjector
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cainjector
+  name: cert-manager-cainjector
+  namespace: {{ cert_manager_namespace }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: cert-manager
-  namespace: {{ cert_manager_namespace }}
   labels:
     app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+  name: cert-manager
+  namespace: {{ cert_manager_namespace }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: cert-manager-webhook
-  namespace: {{ cert_manager_namespace }}
   labels:
     app: webhook
-    app.kubernetes.io/name: webhook
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: webhook
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: webhook
+  name: cert-manager-webhook
+  namespace: {{ cert_manager_namespace }}

roles/kubernetes-apps/ingress_controller/cert_manager/templates/svc-cert-manager.yml.j2

@@ -16,45 +16,41 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: cert-manager
-  namespace: {{ cert_manager_namespace }}
   labels:
     app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+  name: cert-manager
+  namespace: {{ cert_manager_namespace }}
 spec:
-  type: ClusterIP
   ports:
-    - protocol: TCP
+  - port: 9402
-      port: 9402
+    protocol: TCP
     targetPort: 9402
   selector:
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: cert-manager
+  type: ClusterIP
 ---
 apiVersion: v1
 kind: Service
 metadata:
-  name: cert-manager-webhook
-  namespace: {{ cert_manager_namespace }}
   labels:
     app: webhook
-    app.kubernetes.io/name: webhook
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: webhook
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: webhook
+  name: cert-manager-webhook
+  namespace: {{ cert_manager_namespace }}
 spec:
-  type: ClusterIP
   ports:
   - name: https
     port: 443
     targetPort: 10250
   selector:
-    app.kubernetes.io/name: webhook
-    app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: webhook
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: webhook
+  type: ClusterIP

roles/kubernetes-apps/ingress_controller/cert_manager/templates/webhook-cert-manager.yml.j2

@@ -13,82 +13,82 @@
 # limitations under the License.
 
 ---
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
-  name: cert-manager-webhook
+  annotations:
+    cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
   labels:
     app: webhook
-    app.kubernetes.io/name: webhook
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: webhook
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    app.kubernetes.io/instance: cert-manager
-  annotations:
+    app.kubernetes.io/name: webhook
-    cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
+  name: cert-manager-webhook
 webhooks:
-  - name: webhook.cert-manager.io
+- admissionReviewVersions:
-    rules:
+  - v1
-      - apiGroups:
+  - v1beta1
-          - "cert-manager.io"
-          - "acme.cert-manager.io"
-        apiVersions:
-          - "*"
-        operations:
-          - CREATE
-          - UPDATE
-        resources:
-          - "*/*"
-    failurePolicy: Fail
-    # Only include 'sideEffects' field in Kubernetes 1.12+
-    sideEffects: None
   clientConfig:
     service:
       name: cert-manager-webhook
       namespace: {{ cert_manager_namespace }}
       path: /mutate
----
+  failurePolicy: Fail
-apiVersion: admissionregistration.k8s.io/v1beta1
+  name: webhook.cert-manager.io
-kind: ValidatingWebhookConfiguration
-metadata:
-  name: cert-manager-webhook
-  labels:
-    app: webhook
-    app.kubernetes.io/name: webhook
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/component: webhook
-    helm.sh/chart: cert-manager-{{ cert_manager_version }}
-  annotations:
-    cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
-webhooks:
-  - name: webhook.cert-manager.io
-    namespaceSelector:
-      matchExpressions:
-      - key: "cert-manager.io/disable-validation"
-        operator: "NotIn"
-        values:
-        - "true"
-      - key: "name"
-        operator: "NotIn"
-        values:
-        - cert-manager
   rules:
   - apiGroups:
-          - "cert-manager.io"
+    - cert-manager.io
-          - "acme.cert-manager.io"
+    - acme.cert-manager.io
     apiVersions:
-          - "*"
+    - '*'
     operations:
     - CREATE
     - UPDATE
     resources:
-          - "*/*"
+    - '*/*'
-    failurePolicy: Fail
-    # Only include 'sideEffects' field in Kubernetes 1.12+
   sideEffects: None
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
+  labels:
+    app: webhook
+    app.kubernetes.io/component: webhook
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/name: webhook
+  name: cert-manager-webhook
+webhooks:
+- admissionReviewVersions:
+  - v1
+  - v1beta1
   clientConfig:
     service:
       name: cert-manager-webhook
       namespace: {{ cert_manager_namespace }}
       path: /validate
+  failurePolicy: Fail
+  name: webhook.cert-manager.io
+  namespaceSelector:
+    matchExpressions:
+    - key: cert-manager.io/disable-validation
+      operator: NotIn
+      values:
+      - "true"
+    - key: name
+      operator: NotIn
+      values:
+      - cert-manager
+  rules:
+  - apiGroups:
+    - cert-manager.io
+    - acme.cert-manager.io
+    apiVersions:
+    - '*'
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - '*/*'
+  sideEffects: None